What the Gozi Gang Leaders’ Arrests Mean to the Future of the Gozi Trojan

Category: Intelligence

March 08, 2013, by Counter Threat Unit™ (CTU) Research Team

The FBI has arrested three individuals and charged them with running a cybercrime operation that has stolen millions from bank accounts worldwide over the past six years.

The criminals delivered exploit code to unsuspecting computer users via email and the web. Vulnerable computers were infected with a malicious program known as Gozi, which possesses sophisticated spyware, backdoor, and bank fraud capabilities. Gozi turned thousands of infected computers into zombies and placed them under the control of cybercriminals.

Gozi bots uploaded a slew of stolen information to their dropzone servers, including passwords, PINs, and identity data such as Social Security numbers, names, and birthdates. Possessing everything necessary to assume their victims’ online identities and take control of their accounts, the cybercriminals used the Gozi botnet as a distributed network of proxies through which they committed fraud while remaining largely undetected.

Through diligent work and cooperation by private security forces and law enforcement authorities, this veil was pierced and the primary masterminds charged with orchestrating Gozi attacks now face justice.

Because of the potential impact to customers protected by our information security services, Dell SecureWorks has remained vigilant since discovering the Gozi Trojan in 2007, utilizing the Counter Threat Unit™ research team’s threat intelligence capabilities and leveraging the frontline visibility of the expert analysts in our Security Operations Centers to continually identify, understand, and develop countermeasures for Gozi and other similar emerging threats.

One of the challenges in staying ahead of the Gozi threat was the fact that it was developed clandestinely and operated by a very small group of highly capable and experienced cybercriminals. That same fact also describes Gozi’s Achilles’ heel.

Unlike ZeuS, SpyEye, and other top banking trojan threats, Gozi was never designed to be packaged and sold to aspiring cybercriminals on the underground networks. Every installation required custom configuration and depended on services and contributions from the experts who maintained it. The mastermind behind Gozi and his small circle of co-conspirators retained control over the source code and worked directly with each other under exclusive revenue-sharing arrangements. This structure limited the amount of intelligence that could be gathered, but it also concentrated the technical know-how and capabilities required to run a profitable Gozi operation in a few key individuals.

When Gozi needed to evolve into a more capable cybercrime platform, the source code was handed over to another co-conspirator for refactoring. At some point, the source code to the latest incarnation of Gozi, a project the masterminds called “PM” (“ПМ”) or “Prinimalka” (“приемник”, meaning “receiver”), was leaked. Because Gozi is not packaged for easy use by novice cybercriminals, the bar to entry is higher than with the adoption of other trojan codebases, so it is unlikely that the leaked code will serve as the basis for a second generation of derivatives. By contrast, the same types of tactics can be found in the leaked ZeuS source code, which shipped along with additional source code and instructions for easily building, configuring, and deploying ZeuS-based derivatives such as the Citadel and ICE IX trojans.

There are still small groups of co-conspirators using Gozi to attack bank accounts, mostly in Europe and the United States, but they will likely recognize the value in migrating to other, more widely supported cybercrime platforms. Without active development and support from the Gozi godfather and his indispensable inner circle of co-conspirators, I believe the Gozi threat will cease to evolve and will eventually die through attrition.